CVE-2011-1947

Summary

CVE	CVE-2011-1947
State	PUBLISHED
Assigner	redhat
Source Priority	CVE Program / NVD first with legacy fallback
Published	2011-06-02 19:55:03 UTC
Updated	2026-04-29 01:13:23 UTC
Description	fetchmail 5.9.9 through 6.3.19 does not properly limit the wait time after issuing a (1) STARTTLS or (2) STLS request, which allows remote servers to cause a denial of service (application hang) by acknowledging the request but not sending additional packets.

Risk And Classification

Primary CVSS: v2.0 5 from [email protected]

AV:N/AC:L/Au:N/C:N/I:N/A:P

Problem Types: CWE-399 | n/a

CVSS v2.0 Breakdown

Access Vector

Network

Access Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Fetchmail	Fetchmail	5.9.10	All	All	All
Application	Fetchmail	Fetchmail	5.9.11	All	All	All
Application	Fetchmail	Fetchmail	5.9.13	All	All	All
Application	Fetchmail	Fetchmail	5.9.9	All	All	All
Application	Fetchmail	Fetchmail	6.0.0	All	All	All
Application	Fetchmail	Fetchmail	6.1.0	All	All	All
Application	Fetchmail	Fetchmail	6.1.3	All	All	All
Application	Fetchmail	Fetchmail	6.2.0	All	All	All
Application	Fetchmail	Fetchmail	6.2.1	All	All	All
Application	Fetchmail	Fetchmail	6.2.2	All	All	All
Application	Fetchmail	Fetchmail	6.2.3	All	All	All
Application	Fetchmail	Fetchmail	6.2.4	All	All	All
Application	Fetchmail	Fetchmail	6.2.5	All	All	All
Application	Fetchmail	Fetchmail	6.2.5.1	All	All	All
Application	Fetchmail	Fetchmail	6.2.5.2	All	All	All
Application	Fetchmail	Fetchmail	6.2.5.4	All	All	All
Application	Fetchmail	Fetchmail	6.2.6	pre4	All	All
Application	Fetchmail	Fetchmail	6.2.6	pre8	All	All
Application	Fetchmail	Fetchmail	6.2.6	pre9	All	All
Application	Fetchmail	Fetchmail	6.2.9	rc10	All	All
Application	Fetchmail	Fetchmail	6.2.9	rc3	All	All
Application	Fetchmail	Fetchmail	6.2.9	rc4	All	All
Application	Fetchmail	Fetchmail	6.2.9	rc5	All	All
Application	Fetchmail	Fetchmail	6.2.9	rc7	All	All
Application	Fetchmail	Fetchmail	6.2.9	rc8	All	All
Application	Fetchmail	Fetchmail	6.2.9	rc9	All	All
Application	Fetchmail	Fetchmail	6.3.0	All	All	All
Application	Fetchmail	Fetchmail	6.3.1	All	All	All
Application	Fetchmail	Fetchmail	6.3.10	All	All	All
Application	Fetchmail	Fetchmail	6.3.11	All	All	All
Application	Fetchmail	Fetchmail	6.3.12	All	All	All
Application	Fetchmail	Fetchmail	6.3.13	All	All	All
Application	Fetchmail	Fetchmail	6.3.14	All	All	All
Application	Fetchmail	Fetchmail	6.3.15	All	All	All
Application	Fetchmail	Fetchmail	6.3.16	All	All	All
Application	Fetchmail	Fetchmail	6.3.17	All	All	All
Application	Fetchmail	Fetchmail	6.3.18	All	All	All
Application	Fetchmail	Fetchmail	6.3.19	All	All	All
Application	Fetchmail	Fetchmail	6.3.2	All	All	All
Application	Fetchmail	Fetchmail	6.3.3	All	All	All
Application	Fetchmail	Fetchmail	6.3.4	All	All	All
Application	Fetchmail	Fetchmail	6.3.5	All	All	All
Application	Fetchmail	Fetchmail	6.3.6	All	All	All
Application	Fetchmail	Fetchmail	6.3.6	rc1	All	All
Application	Fetchmail	Fetchmail	6.3.6	rc2	All	All
Application	Fetchmail	Fetchmail	6.3.6	rc3	All	All
Application	Fetchmail	Fetchmail	6.3.6	rc4	All	All
Application	Fetchmail	Fetchmail	6.3.6	rc5	All	All
Application	Fetchmail	Fetchmail	6.3.7	All	All	All
Application	Fetchmail	Fetchmail	6.3.8	All	All	All
Application	Fetchmail	Fetchmail	6.3.9	All	All	All
Application	Fetchmail	Fetchmail	6.3.9	rc2	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Na	N/a	affected n/a	Not specified

References

Reference	Source	Link	Tags
[SECURITY] Fedora 14 Update: fetchmail-6.3.20-1.fc14	af854a3a-2127-422b-91ae-364da2661108	lists.fedoraproject.org
gitorious.org/fetchmail/fetchmail/blobs/legacy_63/fetchmail-SA-2011-01.txt	af854a3a-2127-422b-91ae-364da2661108	gitorious.org
[SECURITY] Fedora 15 Update: fetchmail-6.3.20-1.fc15	af854a3a-2127-422b-91ae-364da2661108	lists.fedoraproject.org
oss-security - CVE request for fetchmail STARTTLS hang (Denial of Service)	af854a3a-2127-422b-91ae-364da2661108	openwall.com
oss-security - Re: CVE request for fetchmail STARTTLS hang (Denial of Service)	af854a3a-2127-422b-91ae-364da2661108	openwall.com
oss-security - Re: CVE request for fetchmail STARTTLS hang (Denial of Service)	af854a3a-2127-422b-91ae-364da2661108	openwall.com
[SECURITY] Fedora 13 Update: fetchmail-6.3.20-1.fc13	af854a3a-2127-422b-91ae-364da2661108	lists.fedoraproject.org
www.fetchmail.info/fetchmail-SA-2011-01.txt	af854a3a-2127-422b-91ae-364da2661108	www.fetchmail.info
Support / Security / Advisories / / MDVSA-2011:107 \| Mandriva	af854a3a-2127-422b-91ae-364da2661108	www.mandriva.com
IBM X-Force Exchange	af854a3a-2127-422b-91ae-364da2661108	exchange.xforce.ibmcloud.com
Fetchmail STARTTLS Blocking IO Bug Lets Remote Users Deny Service - SecurityTracker	af854a3a-2127-422b-91ae-364da2661108	www.securitytracker.com
oss-security - Re: CVE request for fetchmail STARTTLS hang (Denial of Service)	af854a3a-2127-422b-91ae-364da2661108	openwall.com
Fetchmail STARTTLS Remote Denial of Service Vulnerability	af854a3a-2127-422b-91ae-364da2661108	www.securityfocus.com
SecurityFocus	af854a3a-2127-422b-91ae-364da2661108	www.securityfocus.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.